X.Org Foundation OFFICIAL SECURITY ADVISORY 2004-09-15
Leon Shiman
leon at magic.shiman.com
Wed Sep 15 13:20:18 PDT 2004
Brookline MA, September 15, 2004 - X.Org has been made aware of a
possible security vulnerability in libXpm, the X Pixmap library which
is shipped as part of the X Window System. The affected library is
used in many popular applications for image viewing and manipulation.
Several stack overflows and integer overflows have been identified
which may allow malicious XPM files to crash applications linking
against libXpm. Furthermore, the overflows may also be exploited to
execute code under the account of the user running an application
linked against libXpm.
The CVE numbers for these vulnerabilities are CAN-2004-0687 (integer
overflows) and CAN-2004-0688 (stack overflows).
Please check also:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
This advisory affects all known versions and releases of the
X Window System shipping versions of libXpm, whether from X.Org or
other vendors. Therefore users are strongly recommended to upgrade.
A fix is now available from X.Org at:
http://www.x.org/pub/X11R6.8.0/patches/
X.Org will provide a complete security update release for X11R6.8.0. On
September 16, the Official Release will be announced and available from
X.Org.
Vendors shipping releases of the X Window System have already been informed
and will provide updates for their software.
The X.Org Foundation would like to thank Chris Evans for identifying
the security exploits as well as Matthieu Herrb and Alan Coopersmith
for providing a patch.
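
The integer-overflow class named above (CAN-2004-0687), shown from the defensive side as an added example; it is not libXpm code and not the X.Org patch, and the advisory does not say where in libXpm the overflows occur. It assumes the standard XPM values string ("width height ncolors cpp"); the function names xpm_sizes, parse_field and mul_checked are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Multiply a*b into *out; return 0 on success, -1 if the product would wrap. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Parse one unsigned decimal field; reject signs, garbage and out-of-range. */
static int parse_field(const char **p, unsigned long *out)
{
    char *end;
    while (**p == ' ' || **p == '\t')
        (*p)++;
    if (**p < '0' || **p > '9')          /* rejects "-1", "+5" and empty */
        return -1;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno == ERANGE)
        return -1;
    *p = end;
    return 0;
}

/*
 * From an XPM values string, compute the bytes a loader would allocate for
 * the pixel index array and for the colour keys (simplified: ncolors * cpp).
 * Returns 0 on success, -1 if a field is malformed or a size would wrap.
 */
int xpm_sizes(const char *values, size_t *pixel_bytes, size_t *color_bytes)
{
    unsigned long w, h, ncolors, cpp;
    size_t npixels;

    if (parse_field(&values, &w) || parse_field(&values, &h) ||
        parse_field(&values, &ncolors) || parse_field(&values, &cpp))
        return -1;
    if (w == 0 || h == 0 || ncolors == 0 || cpp == 0)
        return -1;
    if (mul_checked(w, h, &npixels) ||
        mul_checked(npixels, sizeof(unsigned int), pixel_bytes) ||
        mul_checked(ncolors, cpp, color_bytes))
        return -1;
    return 0;
}
```

A loader that skips these checks can end up allocating a small buffer for a header that declares a huge image and then writing past it while reading pixel data.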